deps: upgrade openssl sources to 1.0.2d

This just replaces all sources of openssl-1.0.2d.tar.gz
into deps/openssl/openssl

deps: copy all openssl header files to include dir

All symlink files in `deps/openssl/openssl/include/openssl/`
 are removed and replaced with real header files to avoid
issues on Windows.

deps: fix openssl assembly error on ia32 win32

`x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and
perhaps others) are requiring .686 .

Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>

deps: fix asm build error of openssl in x86_win32

See
https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html

iojs needs to stop using masm and move to nasm or yasm on Win32.

Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

openssl: fix keypress requirement in apps on win32

Reapply b910613792dac946b295855963869933a9089044 .

Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

deps: add -no_rand_screen to openssl s_client

In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.

Fixes: https://github.com/nodejs/io.js/issues/1461
PR-URL: https://github.com/nodejs/io.js/pull/1836
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

PR-URL: https://github.com/nodejs/io.js/pull/2141
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

6 files changed, 85 insertions, 6 deletions

diff --git a/deps/openssl/openssl/doc/apps/verify.pod b/deps/openssl/openssl/doc/apps/verify.pod
index df1b86dfe5..bffa6c0ec4 100644
--- a/deps/openssl/openssl/doc/apps/verify.pod
+++ b/deps/openssl/openssl/doc/apps/verify.pod
@@ -15,6 +15,7 @@ B<openssl> B<verify>
 [B<-attime timestamp>]
 [B<-check_ss_sig>]
 [B<-crlfile file>]
+[B<-crl_download>]
 [B<-crl_check>]
 [B<-crl_check_all>]
 [B<-policy_check>]
@@ -29,6 +30,7 @@ B<openssl> B<verify>
 [B<-untrusted file>]
 [B<-help>]
 [B<-issuer_checks>]
+[B<-trusted file>]
 [B<-verbose>]
 [B<->]
 [certificates]
@@ -69,6 +71,10 @@ because it doesn't add any security.
 
 File containing one or more CRL's (in PEM format) to load.
 
+=item B<-crl_download>
+
+Attempt to download CRL information for this certificate.
+
 =item B<-crl_check>
 
 Checks end entity certificate validity by attempting to look up a valid CRL.
@@ -133,6 +139,11 @@ be found that is trusted. With this option that behaviour is suppressed so that
 only the first chain found is ever used. Using this option will force the
 behaviour to match that of previous OpenSSL versions.
 
+=item B<-trusted file>
+
+A file of additional trusted certificates. The file should contain multiple
+certificates in PEM format concatenated together.
+
 =item B<-policy_print>
 
 Print out diagnostics related to policy processing.
diff --git a/deps/openssl/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod b/deps/openssl/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod
index c8a8128795..109f561324 100644
--- a/deps/openssl/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod
+++ b/deps/openssl/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod
@@ -29,6 +29,7 @@ and issuer names.
 X509_NAME_get_index_by_NID() and X509_NAME_get_index_by_OBJ() retrieve
 the next index matching B<nid> or B<obj> after B<lastpos>. B<lastpos>
 should initially be set to -1. If there are no more entries -1 is returned.
+If B<nid> is invalid (doesn't correspond to a valid OID) then -2 is returned.
 
 X509_NAME_entry_count() returns the total number of entries in B<name>.
 
@@ -63,6 +64,10 @@ The list of all relevant B<NID_*> and B<OBJ_* codes> can be found in
 the source code header files E<lt>openssl/obj_mac.hE<gt> and/or
 E<lt>openssl/objects.hE<gt>.
 
+Applications which could pass invalid NIDs to X509_NAME_get_index_by_NID()
+should check for the return value of -2. Alternatively the NID validity
+can be determined first by checking OBJ_nid2obj(nid) is not NULL.
+
 =head1 EXAMPLES
 
 Process all entries:
@@ -95,6 +100,8 @@ Process all commonName entries:
 
 X509_NAME_get_index_by_NID() and X509_NAME_get_index_by_OBJ()
 return the index of the next matching entry or -1 if not found.
+X509_NAME_get_index_by_NID() can also return -2 if the supplied
+NID is invalid.
 
 X509_NAME_entry_count() returns the total number of entries.
 
diff --git a/deps/openssl/openssl/doc/crypto/X509_STORE_CTX_new.pod b/deps/openssl/openssl/doc/crypto/X509_STORE_CTX_new.pod
index b17888f149..eb38b0a109 100644
--- a/deps/openssl/openssl/doc/crypto/X509_STORE_CTX_new.pod
+++ b/deps/openssl/openssl/doc/crypto/X509_STORE_CTX_new.pod
@@ -39,10 +39,15 @@ X509_STORE_CTX_free() completely frees up B<ctx>. After this call B<ctx>
 is no longer valid.
 
 X509_STORE_CTX_init() sets up B<ctx> for a subsequent verification operation.
-The trusted certificate store is set to B<store>, the end entity certificate
-to be verified is set to B<x509> and a set of additional certificates (which
-will be untrusted but may be used to build the chain) in B<chain>. Any or
-all of the B<store>, B<x509> and B<chain> parameters can be B<NULL>.
+It must be called before each call to X509_verify_cert(), i.e. a B<ctx> is only
+good for one call to X509_verify_cert(); if you want to verify a second
+certificate with the same B<ctx> then you must call X509_XTORE_CTX_cleanup()
+and then X509_STORE_CTX_init() again before the second call to
+X509_verify_cert(). The trusted certificate store is set to B<store>, the end
+entity certificate to be verified is set to B<x509> and a set of additional
+certificates (which will be untrusted but may be used to build the chain) in
+B<chain>. Any or all of the B<store>, B<x509> and B<chain> parameters can be
+B<NULL>.
 
 X509_STORE_CTX_trusted_stack() sets the set of trusted certificates of B<ctx>
 to B<sk>. This is an alternative way of specifying trusted certificates 
diff --git a/deps/openssl/openssl/doc/crypto/X509_verify_cert.pod b/deps/openssl/openssl/doc/crypto/X509_verify_cert.pod
index 5253bdcd70..a22e44118c 100644
--- a/deps/openssl/openssl/doc/crypto/X509_verify_cert.pod
+++ b/deps/openssl/openssl/doc/crypto/X509_verify_cert.pod
@@ -32,7 +32,8 @@ OpenSSL internally for certificate validation, in both the S/MIME and
 SSL/TLS code.
 
 The negative return value from X509_verify_cert() can only occur if no
-certificate is set in B<ctx> (due to a programming error) or if a retry
+certificate is set in B<ctx> (due to a programming error); if X509_verify_cert()
+twice without reinitialising B<ctx> in between; or if a retry
 operation is requested during internal lookups (which never happens with
 standard lookup methods). It is however recommended that application check
 for <= 0 return value on error.
diff --git a/deps/openssl/openssl/doc/ssl/SSL_CTX_get0_param.pod b/deps/openssl/openssl/doc/ssl/SSL_CTX_get0_param.pod
new file mode 100644
index 0000000000..332f181187
--- /dev/null
+++ b/deps/openssl/openssl/doc/ssl/SSL_CTX_get0_param.pod
@@ -0,0 +1,55 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_get0_param, SSL_get0_param, SSL_CTX_set1_param, SSL_set1_param -
+get and set verification parameters
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
+ X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl)
+ int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm)
+ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
+
+=head1 DESCRIPTION
+
+SSL_CTX_get0_param() and SSL_get0_param() retrieve an internal pointer to
+the verification parameters for B<ctx> or B<ssl> respectively. The returned
+pointer must not be freed by the calling application.
+
+SSL_CTX_set1_param() and SSL_set1_param() set the verification parameters
+to B<vpm> for B<ctx> or B<ssl>.
+
+=head1 NOTES
+
+Typically parameters are retrieved from an B<SSL_CTX> or B<SSL> structure
+using SSL_CTX_get0_param() or SSL_get0_param() and an application modifies
+them to suit its needs: for example to add a hostname check.
+
+=head1 EXAMPLE
+
+Check hostname matches "www.foo.com" in peer certificate:
+
+ X509_VERIFY_PARAM *vpm = SSL_get0_param(ssl);
+ X509_VERIFY_PARAM_set1_host(vpm, "www.foo.com");
+
+=head1 RETURN VALUES
+
+SSL_CTX_get0_param() and SSL_get0_param() return a pointer to an
+B<X509_VERIFY_PARAM> structure.
+
+SSL_CTX_set1_param() and SSL_set1_param() return 1 for success and 0
+for failure.
+
+=head1 SEE ALSO
+
+L<X509_VERIFY_PARAM_set_flags(3)|X509_VERIFY_PARAM_set_flags(3)>
+
+=head1 HISTORY
+
+These functions were first added to OpenSSL 1.0.2.
+
+=cut
diff --git a/deps/openssl/openssl/doc/ssl/SSL_CTX_use_serverinfo.pod b/deps/openssl/openssl/doc/ssl/SSL_CTX_use_serverinfo.pod
index da7935c83d..318e052e2b 100644
--- a/deps/openssl/openssl/doc/ssl/SSL_CTX_use_serverinfo.pod
+++ b/deps/openssl/openssl/doc/ssl/SSL_CTX_use_serverinfo.pod
@@ -2,7 +2,7 @@
 
 =head1 NAME
 
-SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file
+SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file - use serverinfo extension
 
 =head1 SYNOPSIS